- The FBI has seized BlackCat ransomware group’s servers, hosting decryption keys.
- The FBI has also provided a decryption tool to victims after seizing BlackCat’s site.
- However, the BlackCat ransomware group claims to have seized the site back.
The BlackCat ransomware group has been around since November 2021. Also known as ALPHV and Noberus, the BlackCat ransomware is the second most prolific ransomware group in the world. It relies on stolen credentials obtained through initial access brokers.
Using the Ransomware-as-a-Service model, the group offers malware to affiliates to use in launching cyberattacks, and ends up taking a percentage of the ransomware payments. The group has targeted hundreds of organizations worldwide, with more than a thousand victims recorded. Victims range from government entities and healthcare organizations to schools, defense industrial base companies and critical manufacturing facilities.
Two of the gang’s more recent victims include MGM Resorts and Henry Schein Inc., a healthcare organization that suffered two BlackCat attacks in just one month. The Reddit hack earlier this year was also caused by the BlackCat ransomware group.
According to reports, BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero and have accepted ransom payments below the initial ransom demand amount. The group behind BlackCat utilizes mostly double extortion tactics but sometimes includes triple extortion, which involves exposing exfiltrated data and threatening to launch distributed denial-of-service (DDoS) attacks on victims’ infrastructure.
The FBI explained that many of the developers and money launderers for BlackCat are linked to DarkSide or Blackmatter. This indicates that they have extensive networks and experience with ransomware operations. In fact, the FBI has been investigating the ransomware group for some time and may have finally found a way to deal with it.
A big win for law enforcement
The Justice Department in the US has announced that the FBI has been successful in disrupting some of the activities of the BlackCat ransomware group. The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems.
The decryption key has allowed victims to avoid paying the ransom demands, which total approximately US$68 million. The FBI has worked with dozens of victims in the United States and internationally to implement this solution. In the Southern District of Florida, the FBI has also gained visibility into the BlackCat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated.
Deputy Attorney General Lisa O. Monaco said that the disruption of the BlackCat ransomware group had allowed the Justice Department to hack the hackers once again.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and healthcare and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime,” said Monaco.
Meanwhile, FBI Deputy Director Paul Abbate commented that the agency continues to bring cybercriminals to justice, determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond.
“Helping victims of crime is the FBI’s highest priority and is reflected here in the provision of tools to assist those victimized in decrypting compromised networks and systems. The FBI will continue to aggressively pursue these criminal actors wherever they attempt to hide and ensure they are brought to justice and held accountable under the law,” said Abbate.
What did the FBI seize?
The unsealed warrant stated that BlackCat actors have compromised computer networks in the United States and worldwide. The disruptions caused by the ransomware variant have affected US critical infrastructure – including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities – as well as other corporations, government entities, and schools. The loss amount globally is in the hundreds of millions of dollars and includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response.
The unsealed warrant detailed that the FBI had seized the domain for BlackCat’s data leak site. Bleeping Computer reported that the site now displays a banner stating that it was seized in an international law enforcement operation. The website was seized after the FBI obtained the public and private key pairs for the Tor hidden services under which the website operated, allowing it to take control of the URLs.
“During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group’s network,” reads an unsealed search warrant.
“As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites, and affiliate panels like the ones described above.”
“The FBI has saved these public/private key pairs to the flash drive.”
The seizure message explains that the law enforcement operation was conducted by police and investigative agencies from the US, Europol, Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, and Austria.
BlackCat ransomware acknowledges disruption
While the disruption of BlackCat’s network is acknowledged by the group, there is still some optimism among it. Bleeping Computer reported that the ransomware group has unseized its data leak site to regain control of the URL. It also claimed that the FBI only gained access to a data center it was using to host servers.
If the FBI only gained access to decryption keys in the last month and a half, the number only represents around 400 companies. The ransomware group added that following this, 3,000 other victims will now lose their keys. The ransomware group also said it would remove all restrictions from its affiliates, allowing them to target any organization they wished, including critical infrastructure. A declaration of ransomwar?
Given the claims by the ransomware group, businesses should be prepared to face any form of cyberattack and be on their highest alert. While the FBI and other law enforcement agencies are working to clamp down on these cybercriminals, businesses also need to be vigilant and ensure that there is no compromise in their cybersecurity, especially with the holiday season around the corner.